Autonomous Driving Cybersecurity: Is the Risk of Remote Vehicle Hijacking Real?

Author:Thomas Keller | Last updated: April 24, 2026| Reading time: 11 minutes

“Could someone hack your car from a thousand miles away and take control?”Before 2025, answering that question still meant citing the 2015 Jeep Cherokee case — a story that was already a decade old. By 2026, we no longer have to lean on ancient history.

Multiple independent research teams have published entirely different attack paths within a single year. Waymo, according to its February 2, 2026 funding announcement, now operates a growing fleet of autonomous vehicles across multiple U.S. cities. Tesla’s over-the-air architecture has made remote vehicle access a standard feature rather than a sci-fi scenario.

The real question isn’t whether remote takeover is possible. It’s how wide that path has become, who’s walking it, and whether the industry has actually locked the doors.

Is the Risk Real — A Few Recent Cases Say More Than Any Theory

Why That 2015 Jeep Cherokee Keeps Getting Brought Up

The famous 2015 experiment by Charlie Miller and Chris Valasek accomplished three things at once. It proved a remote attack required zero physical contact. It showed attackers could seize control of the powertrain while the vehicle was moving. And it forced a recall of 1.4 million vehicles (source: Wired, July 21, 2015, “Hackers Remotely Kill a Jeep on the Highway”).

That moment set the tone for the entire field of automotive cybersecurity. But ten years have passed, and the attacker’s toolbox has long since outgrown that old Uconnect infotainment exploit.

From 2025 to 2026, Attack Paths Have Become Far More Diverse

In October 2025, Kaspersky presented the results of a security audit on a vehicle manufacturer at its Security Analyst Summit. The findings were publicly reported by NewAgeBD on April 14, 2026.

The researchers discovered a SQL injection vulnerability in a publicly accessible application built by a third-party contractor. The vulnerability itself was not unusual. What made it deadly was the cascade that followed.

The SQL injection yielded credentials that gave access to the automaker’s backend systems. Through a misconfigured firewall and weak passwords, the attackers eventually gained full control over the vehicle’s CAN bus. That meant remote gear shifting and engine shutdown while driving were both on the table.

As Kaspersky senior researcher Artem Zinenko stated in the NewAgeBD report: “This breach demonstrates that a weak link in a contractor’s infrastructure can escalate into full, remote control over all connected vehicles.”

Around the same period, French cybersecurity firm Synacktiv demonstrated another route, as reported by CVETodo on August 21, 2025. By sending a specially crafted radio signal to the tire pressure monitoring system, they triggered the vehicle computer into accepting a malicious firmware update. This path bypassed every conventional network firewall, because the tire pressure sensor is a hardware component the vehicle has no choice but to trust.

Then came VillainNet.

In January 2026, a research team from Georgia Tech officially published the VillainNet study at the ACM CCS 2025 conference, as reported in Georgia Tech Research News on January 27, 2026. The study targets the AI “SuperNetworks” used in autonomous driving — massive models that dynamically call on billions of specialized sub-networks to handle different scenarios like rain, highways, or night driving.

The threat is chillingly simple. An attacker only needs to poison one of those billions of sub-networks. David Oygenblik, the project lead and a Georgia Tech PhD student, explained in the university’s research release: “An adversary needs to attack only one of these micro tools. The backdoor remains completely dormant across a vast number of normal configurations and only activates when that specific sub-network is called upon.”

The trigger condition can hide inside a search space of up to 10 quintillion possibilities. Detecting such a backdoor requires 66 times the computational effort of normal verification — practically infeasible with current technology.

It’s worth noting that VillainNet remains a proof-of-concept study rather than a demonstration on a deployed system. Its real significance lies in exposing a structural weakness: any party that can touch the training pipeline in the supply chain may be able to plant a backdoor.

A related concern surfaced in April 2026, when Australia’s CSIRO Data61 team published a paper on the “Quiet Intruder Method” (arXiv:2604.14963). Their research shows how injecting invisible noise into raw sensor data — cameras, radar, lidar — can make target objects silently disappear from the AI’s perception. No system alarm triggers. The manipulated AI keeps reporting that everything is normal.

What the Existing Cases Can and Cannot Tell Us

The numbers paint a sobering picture — but they need careful reading.

VicOne’s 2026 Automotive Cybersecurity Report (published February 11, 2026) recorded 610 automotive-related security incidents and 1,384 vulnerabilities in 2025. Cross-regional, multi-enterprise incidents tripled year-over-year, reaching 161.

Upstream Security’s 2026 Global Report (released February 18, 2026) tallied 494 publicly reported incidents, with ransomware accounting for 44 percent — more than double the previous year’s share. The report specifically notes that ransomware attacks are moving from corporate IT systems to the vehicle itself, with real cases in mid-2025 of attackers gaining remote vehicle control through companion apps and demanding ransom.

But here is the critical distinction.

These figures cover the entire automotive ecosystem — automaker IT systems getting breached, owner data leaks, charging station malware. The vast majority do not involve real-time remote control of a moving vehicle.

Cases that truly amount to “remote control of a vehicle in motion” remain almost entirely proof-of-concept demonstrations by security researchers. The 2025 Kaspersky case was a controlled security audit. The 2015 Jeep Cherokee was benevolent research. Neither was a malicious crime.

This distinction directly shapes how an ordinary car owner should assess their own risk.

Why Today’s Cars Are Softer Targets Than Those a Decade Ago

The Attack Surface Hasn’t Just Grown — It’s Been Completely Redrawn

Ten years ago, attacking a car meant plugging your laptop into the OBD-II port.

Today, a vehicle with L2+ driver-assistance features carries Bluetooth, 5G/Wi-Fi, cloud APIs, and in some models, V2X communication modules — all open simultaneously. VicOne’s 2026 report confirms the shift: in-vehicle systems now account for 39.7 percent of attacks, overtaking corporate IT as the primary target.

Upstream’s February 2026 report offers even starker figures: 92 percent of automotive cyberattacks are now carried out entirely remotely. 86 percent require no physical proximity to the target vehicle.

But the easiest attack surface to overlook isn’t a technical interface. It’s the organizational boundary.

Kaspersky’s 2026 industry forecast explicitly warns that attackers increasingly prefer supply-chain attacks — breaching automakers through compromised contractor systems. The 2025 Stellantis data breach was a textbook example. Attackers accessed user privacy data through a third-party service provider’s platform. The vulnerability sat inside a small, under-resourced company somewhere in the procurement chain, not inside the vehicle itself.

Adding AI Doesn’t Just Add Features — It Redefines What “Intrusion” Even Means

VillainNet changes how we understand automotive cyberattacks.

A traditional attack exploits a software vulnerability, leaving at least some traceable footprint. A VillainNet backdoor is embedded in the AI model itself. The attacker poisons training data or model weights. The backdoor succeeds in 99 percent of activation scenarios, yet remains completely invisible among billions of sub-networks before activation.

Upstream CEO Yoav Levy told TMCnet in February 2026: “AI is a double-edged sword — the auto industry is an early adopter of physical AI, but AI also gives attackers the ability to move faster, at larger scale, and with more automation.”

The CSIRO “Quiet Intruder” research points to a different kind of AI fragility. It’s not about hacking the control systems. It’s about deceiving the AI into seeing obstacles that don’t exist, or failing to see pedestrians that do. This is a threat category fundamentally different from traditional cyberattacks.

Commercial Value Is the Best Bait for Attackers

The hardware inside a single robotaxi costs between $150,000 and $200,000 — an order of magnitude more than an ordinary private car. Fleet downtime brings daily revenue loss, passenger liability claims, and brand trust collapse, all priced far higher than the vehicle assets themselves.

In January 2026, the ransomware group 0apt attacked automaker Kinetic Auto Makers, threatening to leak autonomous driving source code and user location data (as reported by DeXpose, January 31, 2026). Something like this would have been unheard of five years ago. Today, it sits on Kaspersky’s official threat forecast for the automotive sector in 2026.

Then there’s the Jaguar Land Rover case.

On August 31, 2025, JLR was hit by a massive ransomware attack. According to the company’s subsequent financial disclosures and reporting by Automotive News Europe, the attack forced its Solihull and Halewood plants to shut down for several weeks. Direct costs ran to roughly £200 million. The quarterly loss hit an estimated £485 million. Around 5,000 organizations worldwide were affected, several suppliers went bankrupt, and JLR had to arrange an additional $4.69 billion in loans just to stay operational.

This attack didn’t involve remote vehicle control. But it proved the auto industry is now a high-value target — and that reality inevitably breeds more attempts aimed at the vehicles themselves.

How the Industry Is Responding

2026 — The Year Regulations Went from Suggestions to Gatekeepers

2026 marks a watershed.

The UN R155 (cybersecurity) and UN R156 (software updates) regulations under the UNECE WP.29 framework now cover over 54 contracting parties, including the EU, Japan, South Korea, the UK, and Australia. The regulations took effect in 2022. As of July 2024, all new vehicle types in the EU market must fully comply.

In the UK, according to TUV NORD briefing materials published in April 2026, new vehicle types must meet R155 and R156 requirements starting June 1, 2026. The ISO/SAE 21434 standard provides the industry with a full-lifecycle security engineering framework, from concept phase to end-of-life.

In the United States, the federal government has never directly adopted UN R155. But the 2026 SELF DRIVE Act (HR 7390), tracked by GovTrack.us as of February 5, 2026, includes a provision requiring manufacturers to submit a “Safety Case” that incorporates cybersecurity mechanisms — effectively building a parallel regulatory framework.

The shared logic of these regulations is worth noting: they no longer demand that a vehicle be “unhackable.” That’s physically unrealistic. Instead, they require manufacturers to possess a complete capability to identify, assess, and mitigate cyber risks — and to respond when an incident occurs.

Defense in Depth — A Concept Borrowed from IT Is Being Grafted onto Cars

Leading automakers and Tier 1 suppliers now commonly deploy a six-layer defense architecture.

The first three layers focus on prevention. Hardware Security Modules (HSM) and secure boot ensure each ECU independently verifies firmware signatures. Network isolation physically separates the infotainment domain from the powertrain domain. Encrypted communication and mutual authentication secure the data flowing between components.

The next two layers handle detection and safe updates. Intrusion detection systems use CAN bus voltage fingerprinting and AI-driven behavioral analysis to monitor for anomalies. Secure OTA update channels make sure every software package passes multiple layers of signature verification.

The final layer is response. Security Operations Centers and incident response mechanisms can remotely isolate a compromised vehicle and push hotfixes.

There is also a forward-looking concern worth mentioning. In an article published by All About Circuits on January 16, 2026, technical author Federico Fiaschi noted that algorithmic agility for post-quantum cryptography has become a central topic. Existing encryption systems need to begin preparing for migration well before quantum computing becomes practical.

Where the Defenses Are Still Weak

Three stubborn weak spots remain largely unresolved.

First, supply chain security. A single Tier 3 supplier can become the Achilles’ heel — the SQL injection case Kaspersky demonstrated is a textbook example. VicOne’s 2026 report recommends treating a Software Bill of Materials (SBOM) and an AI Bill of Materials (AI BOM) as compliance-grade assets.

Second, legacy vehicles. Many existing models were designed based on the security assumptions of a decade ago. Their architectural flaws cannot be fully rewritten over the air.

Third, the human factor. Multiple intrusions in 2025 traced back to the same root causes: unchanged default credentials, unaudited API configurations, and multi-factor authentication left disabled.

The problem isn’t the blueprint. It’s the foundation.

What Should You, as an Ordinary User, Actually Care About?

If You Drive a Private Car with L2 Driver Assistance

Your real risk surface is limited. But three habits are worth building.

First, keep your vehicle’s system updated. Most publicly known vulnerabilities already had a patch by the time they were first disclosed. Delayed patching is where the real risk lives.

Second, be cautious with third-party OBD devices and “feature-unlocking” tools. In early April 2026, as reported by Electrek on April 9, Tesla classified the use of third-party FSD unlocking devices on Model S and Model X as a “cybersecurity threat” and remotely disabled the affected features. That is a precedent worth paying attention to.

Third, when you receive a cybersecurity recall notice from your automaker, treat it exactly like a brake recall. Book the fix immediately.

If You Frequently Ride in Robotaxis

You don’t need to assess the risk yourself. Regulators are already doing that job.

Waymo, Cruise, and other leading operators in California can only operate once their Safety Case passes review, which includes a cybersecurity assessment. In Europe and Japan, a robotaxi cannot operate unless the service vehicle has passed UN R155 type-approval certification.

What you really need to check isn’t the technical details. Look at whether the service operates in a city with a clear regulatory framework. That alone is a meaningful risk filter.

If You Follow the Auto Industry or Invest in It

2026 is the year mandatory compliance deadlines have fully arrived across the world’s major markets.

The growth of the automotive cybersecurity market has a structural driver. It isn’t consumer demand. It’s regulation. That means demand will continue to grow even if consumer awareness remains low.

At the same time, two emerging areas deserve sustained attention: AI backdoor attacks like VillainNet, and supply-chain attacks. Both could reshape security assessment standards within the next five years.

FAQ

Q1: Could my car really be remotely controlled while I’m driving?

Theoretically, yes. The 2015 Jeep Cherokee proved remote engine shutdown is possible, and the 2025 Kaspersky-reported vulnerability pointed to remote CAN bus access. But as of April 2026, all known attacks of this nature have been controlled demonstrations by security researchers. There is no public record of an ordinary driver suffering physical harm from a malicious remote attack. Your risk of an accident from driver fatigue is vastly higher.

Q2: Are self-driving cars easier to hack than regular cars?

The attack surface is larger. But autonomous vehicles also face far more intensive security oversight and penetration testing than ordinary cars. The risk depends on the manufacturer’s investment in security, not the level of automation itself.

Q3: Has a Tesla ever been successfully hacked?

Researchers have demonstrated remote intrusions on Teslas multiple times under controlled conditions. Synacktiv achieved remote code execution through the tire pressure sensors in 2025 (reported by CVETodo, August 21, 2025). Earlier discoveries included GPS spoofing and Bluetooth stack vulnerabilities. All were benevolent research. Tesla typically pushes patches quickly and maintains a full in-house security team with a bug bounty program.

Q4: Are OTA updates themselves secure?

This is exactly what UN R156 exists to regulate. The regulation requires manufacturers to establish a Software Update Management System with firmware signature verification as a basic requirement. That said, no signature mechanism is absolutely foolproof against human configuration errors.

Q5: What can I do to protect my connected car?

Keep your vehicle’s system and companion app on the latest version. Avoid plugging in third-party OBD devices from unknown sources. Enable two-factor authentication on your vehicle app accounts. Periodically review your vehicle’s permission settings and revoke unnecessary app access. If you get a cybersecurity recall notice, act on it immediately.

Q6: Which countries do UN R155 regulations cover?

UN R155 applies to UNECE member states that have signed the 1958 Agreement, covering around 60 countries and regions including the EU27, the UK, Japan, South Korea, and Australia. The United States has not directly adopted UN R155. Instead, it maintains a parallel regulatory framework through NHTSA guidelines and federal legislation, including the cybersecurity provisions in the 2026 SELF DRIVE Act (per GovTrack.us, February 2026).

References

[1] Georgia Institute of Technology. (2026, January 27). Researchers Warn AI ‘Blind Spot’ Could Allow Attackers to Hijack Self-Driving Vehicles. Georgia Tech Research News. https://research.gatech.edu/researchers-warn-ai-blind-spot-could-allow-attackers-hijack-self-driving-vehicles

[2] Kaspersky ICS CERT. (2026, April 14). Kaspersky finds security flaws threatening vehicle safety. NewAgeBD. https://www.newagebd.net/print/post/281267

[3] Upstream Security. (2026, February 18). 2026 Global Automotive and Smart Mobility Cybersecurity Report. TMCnet. https://www.tmcnet.com/usubmit/2026/02/18/10334396.htm

[4] VicOne. (2026, February 11). 2026 Automotive Cybersecurity Report. Kiteworks. https://www.kiteworks.com/cybersecurity-risk-management/vicone-2026-automotive-cybersecurity-report/

[5] Fiaschi, F. (2026, January 16). Defending the Digital Highway: Cybersecurity for Software-Defined Vehicles. All About Circuits. https://www.allaboutcircuits.com/industry-articles/defending-the-digital-highway-cybersecurity-for-software-defined-vehicles

About the Author

Thomas Keller is a vehicle security researcher based in Stuttgart, Germany, with roughly 12 years of experience in automotive electronic architecture and cybersecurity assessment. He previously worked as a system security engineer at Bosch and later joined an independent security testing lab. Keller holds a degree in electronic engineering from the Karlsruhe Institute of Technology and now works as a senior cybersecurity consultant at Vector Consulting, advising European automakers on vehicle security architecture. His technical commentary appears regularly in Automotive World and Elektronik automotive.

Disclaimer

This article is for informational and educational purposes only and does not constitute cybersecurity advice, investment advice, or legal advice of any kind. The cases, data, and industry analyses cited come from third-party security research institutions, academic papers, and publicly available reports. The author has made every effort to ensure accuracy but makes no guarantee as to the completeness, timeliness, or absolute precision of the information. Specific protective measures for vehicle cybersecurity should be based on professional security assessments. Specific companies mentioned are used solely as industry case studies for analysis and illustration and do not represent a recommendation or endorsement. The author and publishing platform accept no liability for any actions taken in reliance on the information contained in this article.

Related Articles

L3 Autonomous Driving Accidents: Who Is Actually Liable? https://zhongtaiserver.zhongtongtec.com/storage/WebsiteAdmin/view/2026-04/autotriad.com/driving/l3-autonomous-driving-accidents-who-is-actually-liable.html